What Then?

[originally published in Enterprise Conversation, a UBM/DeusM publication]

If we’re being honest, the sweeping change that is
supposedly transforming our workplace, our lives, and our society through the
dissemination of smaller, more mobile, more connected devices has hit a stone
wall. We can kid ourselves into
believing there’s still a huge wave of forward momentum, mainly because big
waves are what marketing campaigns are based upon. But until we face our greatest fear and, more
specifically, stop attaching euphemisms to it like characters in “Harry Potter”
and call it by its name, the development of secure, mobile computing will
stagnate and die.

The problem is identity. While more than 9 of 10 executives say they’re
afraid of how cloud architectures will impact security, according to a
poll our Hailey McKeefry cited last week, the truth is that we are
reluctant to cross that line and enter the era where we trust our online
identity to any outside institution.
I’ve been told that online identity is a social issue, not a business
issue. This is the crux of our denial:
that who we are in public and how we work in business are not just separate
issues but separate identities.

There are many businesses that have solved the problem of
employees being able to validate that they are who they say they are, within
the domain of those businesses. Meanwhile,
nearly every analysis treats the problem of identity theft as a social,
rather than a business, issue. But the
identity system that validates the users of Android phones is the same system
that powers Hangouts through Google+. Facebook
and Microsoft would both seek to enter the ubiquitous identity business based
on the strength of passwords alone. And
corporations are taking action against their employees for what they tweet “in
public,” as if there were such a thing as “tweeting in private” — all while Twitter’s
lack of strong security is being blamed on China. The identity dichotomy we think we’re facing
is really a duplicity, an exercise in fooling ourselves.

The technology already exists for the validation of personal
identity, both in one’s private and professional lives:

Ultimately, the identity of individuals will
need to be secured through devices that are independent of employers and
governments, that are kept on our persons.
When stolen (inevitably) they will be rendered useless. Such devices will probably need to be tracked
using GPS.

The authenticity of the bearer of these devices
will need to be supplemented by a system stronger than a password, probably
biometric.

Both of these factors will still need to be
supplemented by an independent digital certificate. The authenticity of this certificate will
need to be vouched for by more than one authority simultaneously.

The privileges that a business gives an employee
to access confidential resources should be dispensed in the form of grants,
which are associated with all of the above factors independently. These grants, rather than any combination of
the above factors, should be what identifies the user of a business
network. Consider the power of an
authentication system that only grants access based on a pre-existing record of
explicit transactions which collectively serve to vouch for the user’s
authority. Consider how extremely
difficult it would be for anyone to forge such a grant.

Grants should be revocable by a business without
damaging the integrity of the user’s identity.
We have yet to face a wellspring of problems with Office 2013 users
unable to read the documents they created at work because their Microsoft
Accounts were secured with their revoked, at-work e-mail addresses. But just wait for it.

The privileges a user grants to any outside agent — a financial
institution, a government agency, an advertising network, a social network, an
e-mail contact — to access any of the user’s personal resources, including
mobile devices and browsers, should be dispensed in the same form of
grants. This way, the user is never
faced with a situation where she failed to see the “opt-out” warning. If I want an outside firm to render content
on my system, it will be because I said yes.

Users who are people and users who are not
people should be separate. If you think
this sounds like a superfluous suggestion, consider all the Web apps that may
or may not be running on your device right now which have already authenticated
themselves as you.

The slate of services that collectively serve to authenticate
users and grant access privileges is the user’s portfolio. All of the
technology that can make this possible already exists today — none of these
ideas are new. We tell ourselves we’re
afraid of creating a “national ID card,” or some similar thing, that we may
lose what remains of our privacy. And
yet what we claim to hold precious is leaking from our grasp like a sieve,
because the stopgap measures upon which we rely today are just too convenient.

All of the “But What If?” questions that arise from this
issue deserve to be asked. None of them
are beyond being answered.

Scott Fulton On Point

First there was the wheel, and you have to admit, the wheel was cool. After that, you had the boat and the hamburger, and technology was chugging right along with that whole evolution thing. Then there was the Web, and you had to wonder, after the wheel and the hamburger, how did things make such a sudden left turn and get so messed up so quickly? Displaying all the symptoms of having spent 35 years in the technology news business, Scott Fulton (often known as Scott M. Fulton, III, formerly known as D. F. Scott, sometimes known as that loud guy in the corner making the hand gestures) has taken it upon himself to move evolution back to a more sensible track. Stay in touch and see how far he gets.

Scott M. Fulton, III, is the author of this blog, and all text contained therein is his own unless otherwise noted explicitly. Some content may have appeared in other publications first, before being reprinted here, and is reprinted according to publishing agreements. Scott Fulton is always responsible for his own content.